
100+ Free EX240 Practice Questions

Pass your Red Hat Certified Specialist in API Management (EX240) exam on the first try — instant access, no signup required.

Pass rate: not published
2026 Statistics

Key Facts: EX240 Exam

  • Passing Score: 210/300 (Red Hat)
  • Exam Duration: 3 hours (Red Hat)
  • Product Version: 3scale 2.x / OCP 4 (Red Hat)
  • Exam Fee (varies): $400 (Red Hat)
  • Study Time: 60-100 hrs (Recommended)
  • Cert Validity: 3 years (Red Hat)

EX240 is Red Hat's specialty exam for engineers working with Red Hat 3scale API Management on OpenShift. The 3-hour, performance-based test requires 210/300 (70%) to pass. Candidates model APIs as Products and Backends, define mapping rules and methods, build Application Plans with usage limits and pricing rules, secure traffic with API Key/App ID-Key/OIDC and RH-SSO, configure the APIcast policy chain (CORS, headers, IP filter, rate limit, JWT claim check, URL rewriting, OAS validation), deploy self-managed APIcast on OpenShift, and drive everything declaratively via the 3scale Operator CRDs (APIManager, Tenant, Backend, Product, OpenAPI, ActiveDoc, ProxyConfigPromote). Certification is valid for 3 years.

Sample EX240 Practice Questions

Try these sample questions to test your EX240 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which Red Hat 3scale component receives every API call before it reaches the backend and enforces policies, rate limits, and authentication?
A. System (porta)
B. APIcast gateway
C. Zync
D. Backend (worker)
Explanation: APIcast is the NGINX/OpenResty-based API gateway that sits in front of the upstream backend. Every request hits APIcast first, where it authenticates the call, applies the policy chain, and reports usage to the 3scale Backend before proxying to the upstream API.
2. Which 3scale component is responsible for synchronizing OAuth client data with Red Hat Single Sign-On (Keycloak)?
A. Backend
B. System
C. Zync
D. APIcast
Explanation: Zync handles the asynchronous publishing of OAuth client credentials to identity providers. When a developer creates an application in 3scale and the product uses OpenID Connect, Zync pushes that client to RH-SSO/Keycloak so the IdP knows about it.
3. In 3scale 2.x terminology, what is the difference between a Product and a Backend?
A. A Product is the public API exposed to developers; a Backend is one or more upstream services mapped under a Product
B. A Product is the upstream service; a Backend is the API exposed to developers
C. Product and Backend are aliases for the same object
D. A Product is for SaaS, a Backend is for on-premises
Explanation: In the modern 3scale model, a Product is the API consumers interact with (with its own application plans, mapping rules, and policy chain). A Backend represents an upstream private service. One Product can mount multiple Backends at different path prefixes, allowing API composition.
4. A team has three internal microservices: users, orders, and inventory. They want a single public API at api.example.com that mounts each service under /users, /orders, and /inventory. What is the recommended 3scale modeling?
A. Three Products, one Backend each, exposed on different hostnames
B. One Product with three Backends mounted at /users, /orders, and /inventory
C. Three Backends with one Application Plan each
D. One Backend referencing three Products
Explanation: A single Product can mount multiple Backends, each at a distinct path prefix. This is exactly the API composition use case Backends were designed for: model each upstream microservice as a Backend and combine them under one Product with one set of plans, mapping rules, and policy chain.
5. Which 3scale concept defines a measurable unit of API usage (e.g., 'hits', 'transactions', 'gigabytes-out') that can be limited or billed?
A. Mapping rule
B. Method
C. Metric
D. Application Plan
Explanation: A Metric is a measurable usage unit attached to a Product. Every Product has a built-in 'hits' metric, and you can define more (e.g., 'gigabytes-out', 'transactions'). Methods are children of the hits metric. Limits and pricing rules are attached to Metrics within Application Plans.
6. A mapping rule is defined as 'GET /users/{id}' incrementing the metric 'get_user'. A request arrives at 'GET /users/42'. What happens?
A. APIcast rejects the call because the path is unknown
B. APIcast matches the rule, increments the get_user metric by 1, and forwards to the backend
C. APIcast forwards to the backend without incrementing any metric
D. APIcast increments only the hits metric, not get_user
Explanation: Mapping rules use placeholders in curly braces to match dynamic URL segments. 'GET /users/{id}' matches '/users/42', increments the configured metric (get_user) by the configured delta (default 1), and APIcast then proxies the call to the upstream backend.
7. By default, how does APIcast match mapping rules against an incoming request URL?
A. Exact match on the full path including query string
B. Prefix match by default; the 'Last' flag makes the rule terminal
C. Regex match against the full URL
D. Case-sensitive exact match only
Explanation: By default mapping rules use prefix matching, so '/v1/users' matches '/v1/users/42'. The 'Last?' flag, when set on a rule, stops further mapping rule evaluation once it matches — useful when you have a hierarchy of rules and want to short-circuit matching.
8. Which authentication mode passes a single value from the consumer that 3scale validates and uses to identify the application?
A. API Key
B. App ID and App Key
C. OpenID Connect
D. Mutual TLS
Explanation: API Key authentication is a single-credential mode where the consumer sends one user_key (in a query parameter or header) and APIcast resolves it to an Application. App ID/App Key requires two credentials. OpenID Connect uses a JWT issued by an IdP. mTLS authenticates the client certificate at the TLS layer.
9. When a Product is configured with API Key authentication and the credentials location is set to 'as HTTP query string', which default parameter name does APIcast expect?
A. api_key
B. user_key
C. app_id
D. access_token
Explanation: For API Key authentication, 3scale's default credential parameter name is user_key. You can override it via the auth_user_key configuration field. APIcast reads it from the configured location (query string, header, or both) and uses it to look up the Application.
10. Which two configuration keys define the parameter names for App ID/App Key authentication?
A. auth_user_key and auth_password
B. auth_app_id and auth_app_key
C. client_id and client_secret
D. api_key and api_secret
Explanation: For App ID/App Key authentication, the two credential parameters are configured via auth_app_id and auth_app_key. By default, applications use 'app_id' and 'app_key' as the parameter names; both must be sent on every call.

About the EX240 Exam

Performance-based certification for engineers operating Red Hat 3scale API Management on OpenShift. EX240 validates skills with the 3scale architecture (Admin Portal, Developer Portal, APIcast, Backend, System, Zync), API modeling with Products and Backends, application plans and metrics, authentication (API key, App ID/Key, OpenID Connect via RH-SSO), the APIcast policy chain (CORS, headers, IP filter, rate limit, JWT claim check, URL rewriting, OAS validation, upstream, caching), self-managed APIcast deployment, the 3scale Operator CRDs on OpenShift (APIManager, Tenant, Backend, Product, OpenAPI, ActiveDoc, DeveloperAccount, DeveloperUser, ProxyConfigPromote), Developer Portal CMS with Liquid templating, monetization, ActiveDocs, and traffic alerts.

  • Assessment: Performance-based hands-on tasks (no fixed question count)
  • Time Limit: 3 hours
  • Passing Score: 210/300 (70%)
  • Exam Fee: Varies by region (typically $400 USD) (Red Hat)

EX240 Exam Content Outline

  • 10%  3scale Architecture and Components
    Admin Portal, Developer Portal, APIcast gateway, Backend, System (porta), Zync

  • 12%  Products, Backends, and API Modeling
    Products vs Backends, API composition with multiple Backends, mapping rules, methods/metrics

  • 12%  Application Plans, Methods, Metrics, and Limits
    Basic/Pro/Enterprise plans, hits, custom metrics, usage limits per period, per-application overrides

  • 16%  Authentication: API Key, App ID/Key, OIDC
    auth_user_key, auth_app_id/auth_app_key, OpenID Connect with RH-SSO/Keycloak, JWT validation, JWKS

  • 16%  Policy Chain (CORS, Headers, IP, Rate Limit, JWT, OAS, URL Rewriting)
    apicast.policy.cors, headers, ip_check, rate_limit, jwt_claim_check, url_rewriting, oas_validation, upstream, caching

  • 10%  APIcast Hosted, Self-Managed, and Embedded on OpenShift
    Deployment models, configuration via THREESCALE_PORTAL_ENDPOINT and THREESCALE_DEPLOYMENT_ENV, mTLS to backends, custom Lua policies

  • 12%  3scale Operator on OpenShift (CRDs)
    APIManager, Tenant, Backend, Product, OpenAPI, ActiveDoc, DeveloperAccount, DeveloperUser, ProxyConfigPromote

  • 8%  Developer Portal (CMS, Liquid, Sign-up, OAuth)
    CMS pages/layouts/partials/sections, Liquid templating, sign-up flow, SSO via SAML/OIDC

  • 4%  Monetization, ActiveDocs, and Operations
    Stripe/Braintree, pricing rules, ActiveDocs, traffic alerts, analytics, OpenAPI imports

How to Pass the EX240 Exam

What You Need to Know

  • Passing score: 210/300 (70%)
  • Assessment: Performance-based hands-on tasks (no fixed question count)
  • Time limit: 3 hours
  • Exam fee: Varies by region (typically $400 USD)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

EX240 Study Tips from Top Performers

1. Build a real lab with 3scale 2.x on OpenShift via the 3scale Operator (APIManager CR) — there is no substitute for hands-on policy-chain and OIDC practice on a live tenant
2. Master the Product vs Backend distinction: one Product can mount many Backends at /users, /orders, /inventory for API composition
3. Memorize the credential parameter names: auth_user_key (API key) and auth_app_id / auth_app_key (App ID/Key)
4. Understand policy-chain ordering: CORS goes BEFORE the 3scale APIcast policy so OPTIONS preflights short-circuit without auth
5. Drill the policies you must know by name: apicast.policy.cors, headers, ip_check, rate_limit, jwt_claim_check, url_rewriting, oas_validation, upstream, caching, liquid_context_debug
6. Understand staging vs production proxy config — edits land in staging; promote to production via the Admin Portal or the ProxyConfigPromote CR
7. Practice OIDC end-to-end: configure the IdP on the Product, watch Zync push the Application to RH-SSO as an OAuth Client, and verify JWT validation against the JWKS
8. Know the 3scale Operator CRDs cold: APIManager, Tenant, Backend, Product, OpenAPI, ActiveDoc, DeveloperAccount, DeveloperUser, ProxyConfigPromote
9. Learn the self-managed APIcast bootstrap variables: THREESCALE_PORTAL_ENDPOINT and THREESCALE_DEPLOYMENT_ENV (staging/production)
10. Time yourself: complete full 3-hour scenarios so policy ordering, OIDC, and operator CRs are muscle memory under exam pressure

Frequently Asked Questions

What does EX240 actually test?

EX240 is a 3-hour performance-based exam on a live Red Hat 3scale API Management environment on OpenShift. You model APIs with Products and Backends, write mapping rules, build Application Plans with limits and pricing, configure authentication (API Key, App ID/Key, or OIDC via RH-SSO), assemble policy chains (CORS, headers, IP filter, rate limit, JWT claim check, URL rewriting, OAS validation, caching), deploy self-managed APIcast, and drive the platform declaratively with operator CRDs (APIManager, Tenant, Backend, Product, OpenAPI, ActiveDoc, ProxyConfigPromote). The exam is graded on whether the resulting tenant and gateway behavior meet the required state.

What is the passing score for EX240?

The passing score is 210 out of 300 (70%). Each task contributes to the total based on its success criteria. Always verify your work end-to-end before submitting — partial credit is generally not given on individual tasks, so a half-finished mapping rule or a misordered policy chain can lose the whole task.

Which 3scale version does EX240 cover?

EX240 currently aligns with Red Hat 3scale API Management 2.x on OpenShift Container Platform 4. The exam may be tied to a specific minor version of 3scale; check the official EX240 page before scheduling and practice on a matching version (the 3scale Operator and the toolbox container both have version-specific behavior).

What is the relationship between Products and Backends?

A Product is the consumer-facing API: it has its own application plans, mapping rules, policy chain, and public hostnames. A Backend represents an upstream private service (with its own privateBaseURL and metrics). One Product can mount multiple Backends at different path prefixes — this is the canonical 3scale 2.x pattern for composing microservices behind a single API.

How does 3scale integrate with Red Hat SSO (Keycloak)?

When you enable OpenID Connect on a Product with RH-SSO as the issuer, Zync watches 3scale events and synchronizes Applications to the corresponding OAuth Clients in the configured RH-SSO realm via the realm administration REST API. APIcast then validates incoming JWTs locally against the IdP's JWKS, extracts the client_id, and resolves it to the Application for authrep.

How do I deploy 3scale on OpenShift declaratively?

Use the 3scale Operator. Create an APIManager CR to deploy System, Backend, Zync, and APIcast staging/production. Create Tenant CRs to add new tenants. Create Backend, Product, OpenAPI, ActiveDoc, DeveloperAccount, DeveloperUser, and ProxyConfigPromote CRs to manage the tenant content. Store everything in Git and let Argo CD or Flux apply it for GitOps-driven 3scale operations.

Does EX240 expire?

Yes. Red Hat certifications are valid for 3 years. You can renew by re-taking EX240, by passing a higher Red Hat certification, or via other recognized renewal paths defined by Red Hat at renewal time.